Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.4
News Element Elementor Blog Magazine plugin for WordPress can delete database tables and files
CVE-2026-2284
Summary
An attacker with a WordPress account can delete important database tables and files, causing permanent data loss. This can happen because the plugin doesn't properly check if a user has permission to make these changes. To fix this, update the plugin to the latest version, which has the necessary security fixes.
Original title
The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce...
Original description
The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to truncate 8 core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, resulting in complete data loss.
nvd CVSS3.1
5.4
Vulnerability type
CWE-862
Missing Authorization
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026